On Friday (05/12), the Brazilian Data Protection Authority (ANPD) published Technical Note No. 4/2023/CGTP/ANPD with a diagnosis of the study it conducted to verify the conformity of the processing of personal data by drugstores with the Brazilian Data Protection Law (Law No. 13,709/2018 – LGPD).
In more detail
The study was motivated due to investigations by the Public Prosecutor Office of the Federal District and Territories – MPDFT, due to the Conduct Adjustment Agreement entered into between the Public Prosecutor Office of the State of Minas Gerais – MPMG and a drugstore chain, due to complaints from data subjects and due to a notification from a civil society organization of protection of consumer consumers’ rights regarding pharmaceutical retail market practices regarding the processing of personal data.
By conducting a random monitoring of the sector, between 2020 and 2021, ANPD assessed the state of maturity of the processing activities of personal data carried out by drugstores. In addition to the study, ANPD also promoted workshops, technical meetings and dialogues with associations representing the drugstore sector.
The Technical Note presents the criteria used by ANPD to conduct its assessment and to produce its preliminary findings on data processing by the sector. In general, ANPD identified, for example, low maturity of processing agents, lack of knowledge of LGPD concepts, lack of preparation on the subject of data protection, lack of full compliance with LGPD with regards to some data processing, data processing for purposes other than those informed to the data subjects, lack of transparency regarding the processing performed, excessive use of biometric data, need to improve measures of prevention, information security governance and risk assessment for the processing of personal data, among other issues.
ANPD showed concern about specific aspects that should be included in the drugstores data protection conformity projects and adopted an educational approach, pointing out what the next measures will be for guidance and monitoring of companies in the sector.
The Technical Note reveals some relevant aspects that were taken into account and measures adopted by ANPD for its assessment of compliance with LGPD. We highlight some of these aspects below:
- conduction of investigation to understand the architecture of personal data processing activities and the categories of processed data, given the variety of models and multiplicity of processing agents;
- inspection of the institutional websites of the studied drugstores to confirm whether they provided information regarding their privacy policies;
- analysis of samples of privacy policies from the studied drugstores and from other pharmaceutical groups with greater territorial coverage and with significant number of customers, aiming at verifying their adequacy to LGPD;
- analysis of the legal basis used to justify the processing of personal data and of the inconsistencies it identified;
- selection of some common practices in these drugstores to conduct deeper investigation of the processing activities they involved, such as discounts offers linked to the collection of personal data without clear information for data subjects; healthcare insurance plans (that offers benefit and discounts to its users); loyalty programs; benefit programs; communication and marketing; delivery services; and data sharing with third parties;
- risk of defective consent for data processing in loyalty programs and discount offers;
- verification of how drugstores process biometric data, the proportionality of these processing activities in light of the intended purposes, and how they inform data subjects of these processing activities, as well as consideration on the use of other tools for identity verification that may be less burdensome in relation to use of sensitive personal data, such as username and password – Note: Until now, ANPD has not published a regulation regarding the processing of biometric data. However, in its Regulatory Agenda for the 2023-2024 biennium (Ordinance No. 35/22), ANPD predicts that it will begin to regulate biometric data within one year and six months of its publication;
- verification of the existence (or not) of prevention and security measures compatible with the data processing carried out.
As final considerations, ANPD remarks that, as a result of this study on the pharmaceutical retail sector:
- it succeeded in consolidating the main points of concern in relation to sectoral adequacy projects;
- it identified which points still need further investigation and clarification;
- it verified the need for further research and investigation regarding loyalty programs, and the need for pursuing more information from processing agents external to the relationships among drugstore chains (companies that manage these programs), in order to seek more clarity about the functions of each processing agent in the processing of personal and sensitive data within the scope of loyalty programs, as well as on the forms of data sharing with and by the managers of these programs;
- it understands that the knowledge generated (with this study) can be reverted on behalf of to the society through the preparation of educational material for the sector, indicating the concerns raised and appropriate measures of adequacy for the types of processing described therein;
- it proposes a joint initiative with the National Consumer Secretariat – SENACON – to define regulation and compliance strategies for the sector regarding the conditioning of prices to the provision of consent in some processing of personal data by the sector;
- it suggests verifying that possible sectorial guidelines may be prepared by the General Coordination for Standardization;
- it submits the Technical Note for consideration and analysis by the General Inspection Coordination and for the adoption of any measures it deems appropriate, especially for the purposes of planning inspection activities, inventive of a culture of data protection, for correction of irregular practices and repair any damages, among other actions.
The Technical Note has not regulatory nature, but demonstrates ANPD understandings on matters related to data protection and gives indications on how the Authority will interpret and make decisions on the topics addressed therein.
In addition, the Technical Note also may give an indication as to how the ANPD may conduct studies and investigations in other sectors for the purposes of regulation, inspection and application of penalties.